TechSpot

Malware Help

By Zeb
Mar 29, 2010
  1. Hi there, any help with this matter would be great.

    Computer seems to have picked up something. Problems include the following:


    * Google Chrome stopped loading pages. The program loads, however pages do not and I am then presented with a dialog box asking me to kill the pages.

    * Automatic Update has disappeared from the taskbar. When I try to do a manual update through the link from the start menu, IE loads up then gives me an error that it cannot connect. (Note when I was following the 8 step instructions, I installed the new version of Java and Automatic Update seemed to reappear, download 100% of updates and then disappear again so I could not install them).

    * Firefox was running slow and IE constantly redirects me. For instance when I search in Google and then click on a link I get redirected to other places like download Spyware Doctor, but also to other sites as well, not always spyware ones.


    I've tried all sorts and run programs such as AVG, Avast!, Malwarebytes, SUPERAntiSpyware, Spybot Search and Destroy etc., and while they sometimes find things they can't seem to cure the problem.

    So last resort I've followed the 8 step instructions and attached my log files. Thank you.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Malware isn't as obvious as the very old version of Java is.

    Please download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • Choose English from the drop-down menu and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted.
    • When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install Java Runtime Environment (JRE) 6 Update X
    Java Updates

    After that has been completed:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    Follow with:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste both the Combofix report and Eset log into your next reply.
     
  3. Zeb

    Zeb TS Rookie Topic Starter

    OK, thanks, I'll try that now. Incidentally, just trying to get to this forum is a nightmare due to IE redirecting me off in every direction.

    Also I'm going to attach the log Malwarebytes gave me the day the problems started, 25/03/10.

    Thank you.
     

    Attached Files:

  4. Bobbye


    Well you sure had a 'bunch' of malware! But the current Mbam log is clean- this is amazing judging by the Rootkit and other infections that were on the system 3 days ago!

    Let's see what comes up in the Combofix report and Eset scan. Please don't run any other cleaning programs or make Registry changes while we're working together. You've come a long way, believe it or not!
     
  5. Zeb


    Hi Bobbye

    Man, in those three days since this computer has been playing up I have run every defence program under the sun, so I would hope it cleared some of it :) Thing is, it's my mother's system and if it had been down to me I would have done a format and clean install by now and updated all her programs, but she is paranoid and won't allow it.

    Anyway I have run all those checks you asked me to and it seems like some trojans are present. I've attached the files and thanks again, I really appreciate the help.

    I await further instructions.
     

    Attached Files:

  6. Zeb


    Incidentally, both Google Chrome and Automatic Updates (and the Windows Update website) all seem to be working again, though I have not done any updates as I await your instructions instead.
     
  7. Bobbye


    Zeb, one of the entries in Eset is a quarantined file from ComboFix. Qoobox is the name of the folder where those files are kept.

    Before I write any script for ComboFix, I'd like you to run the following:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    [IMG]
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    [IMG]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.

    It's going to be tomorrow before I can finish this up. I have most of the script writing, but would like to incorporate any entries from TDSS if needed.

    By the way, just want to let you know that I'll have you remove all the cleaning tools and logs they created, as well as old restore points when we're through.
     
  8. Zeb


    Hmmm, I have done that, but TDSSKiller seems to do nothing? What I mean is that it takes less than a second to run and then comes back with 0 found and no restart or anything.

    Still I'll post the report.
     

    Attached Files:

  9. Bobbye


    Okay. It would be great if everything we ran found what we wanted and we could remove it. Then we could use the same 5 programs for everyone. Problem is that the guys who write the malware learn how to get around it, so we have to use another program. It's just how things work, Zeb.


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\TEMP
    C:\AUTOEXEC.BAT
    c:\windows\system32\pool.bin
    
    Dir::
    c:\windows\SoftwareDistribution.old
    
    Folder::
    c:\windows\Pgeser.dat   
    c:\windows\Ogatapiwesonoc.bin 
    c:\program files\Easy Internet signup
    
    
    Registry::
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

    Then rescan with HijackThis and paste the new log in your next reply. If the script works and the HJT is okay, we can remove the cleaning tools.
     
  10. Zeb


    Hi Bobbye. I have done as you asked and attached the files. I await further instruction. Thank you.
     

    Attached Files:

  11. Zeb


    Hi Bobbye

    Do you have any updates on this? I'm really not sure what the last two logs are telling us, but my system seems to be clean.

    Are there any more actions, or should I delete the programs you asked me to install? And will the quarantined virus/malware be deleted with them?

    Thanks
     
  12. Bobbye


    Sorry Zeb- didn't get notice of your reply.
    I see this in the Combofix report: C:\Email Backup. There is nothing wrong with it- I just want to caution you. I sometimes see logs when running an online AV scan where email that has been backed up is infected with malware. Sometimes it goes back years. So be sure what you back up is clean first.

    Check Add/Remove Programs in the Control Panel> I don't see the Java v6u19- did you download that after removing the older versions?
    Check this site: Java Updates

    You still have some AVG entries. Please run this removal tool: AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

    Scan once more with Eset online. Leave the log to make sure you're clean.
     
  13. Zeb


    Hi Bobbye

    Sorry for the delay, I've been a bit busy over the Easter holiday.

    I've done everything you asked; the Java files I updated after uninstalling the old one. I checked and I am running the latest version, 6.19.

    Regarding C:/email backup, that is just a file I made when I installed Thunderbird over the last few days. I don't need it and have deleted it.

    I've run ESET and it's found the same two trojans it found last time. However, both times I didn't ask it to delete them, so I would assume they've just stayed on the system.

    I've attached the log from the location you suggested the last time, however it seems to be the old log from the first scan I did?

    Thanks.
     

    Attached Files:

    • log.txt (2.1 KB)
  14. Bobbye


    I tried to put the Eset removal in the Combofix script. Although it looked like it was gone, apparently it wasn't. Please do the following:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\AUTOEXEC.BAT	Win32/Delf.PBU trojan
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    See if this removes it. If not, I'll change the entry. We don't usually put the name of the malware in, but this looks like it's part of the string.
     
  15. Zeb


    I've tried the above process, but after I've pasted in the code and pressed Moveit!, I'm presented with the following error dialog box:

    error
    invalid time flag![Delf.PBU trojan]
    must be numerical


    I then click ok and it leaves me hanging with no start bar, so i have to open task manager and log off and back in that way.

    No logs have been created due to this.
     
  16. Bobbye


    My bad!
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\AUTOEXEC.BAT
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
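    The "invalid time flag" error above came from the tab and detection name left on the :Files line of the first script. The following is an added Python example, not OTMoveIt's or the thread's own code: it parses a colon-sectioned script of this shape and flags such an entry before it is pasted into the tool. Its reading of the format (anything after a tab on a :Files line is a flag that must be numeric) is an assumption drawn only from the error message, and both sample scripts are constructed to mirror the ones posted above.

```python
import re

# Constructed sample scripts. BROKEN mirrors the shape of the script that
# produced the "invalid time flag" error; FIXED mirrors the corrected one.
BROKEN_SCRIPT = (
    ":Processes\n\n:Services\n\n:Reg\n\n:Files\n"
    "C:\\AUTOEXEC.BAT\tWin32/Delf.PBU trojan\n"
    ":Commands\n[purity]\n[emptytemp]\n[start explorer]\n[Reboot]\n"
)
FIXED_SCRIPT = BROKEN_SCRIPT.replace("\tWin32/Delf.PBU trojan", "")

SECTION_RE = re.compile(r"^:(\w+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_move_script(text):
    """Split a colon-sectioned move script into {section: [entry, ...]}.
    Blank lines are ignored; entries keep embedded tabs so flags can be checked."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip(" ")          # keep tabs, they separate path from flag
        if not line.strip():
            continue
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def check_files_section(sections):
    """Return a list of problems with :Files entries.
    Assumption (taken from the error in the thread, not from OTMoveIt's
    documentation): text after a tab on a :Files line is a numeric flag."""
    problems = []
    for entry in sections.get("Files", []):
        path, *flags = entry.split("\t")
        path = path.strip()
        if not DRIVE_PATH_RE.match(path):
            problems.append(f"not an absolute drive path: {path!r}")
        for flag in flags:
            flag = flag.strip()
            if flag and not flag.isdigit():
                problems.append(f"invalid time flag [{flag}]: must be numerical")
    return problems


def validate(text):
    """Parse and check a script; an empty list means nothing was flagged."""
    return check_files_section(parse_move_script(text))


if __name__ == "__main__":
    for name, script in (("broken", BROKEN_SCRIPT), ("fixed", FIXED_SCRIPT)):
        print(name, validate(script) or "OK")
```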
  17. Zeb


    Hi Bobbye

    Attached is the log file produced by OTM.

    Should I run any scans now?

    Thanks
     

    Attached Files:

  18. Bobbye


    Zeb, how is the system working now? We've removed or moved the 'bad' files- are you still having any of the original problems? Let me know and if they have been resolved, I'll have you remove the cleaning tools and old restore points.
     
  19. Zeb


    Hi Bobbye

    The system is working great now. None of the original problems I initially listed still exist. The only thing which isn't appearing is the yellow Automatic Update icon in the taskbar tray. However, I am assuming this is because the system is totally up to date now with no urgent updates required. I am now able to visit the Windows Update site and update from there now, and it tells me I have no outstanding updates to make.

    so with all that in mind, what's next?
     
  20. Bobbye


    'With all that in mind' I will say that your system is clean! So how about Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Please follow these simple steps to keep your computer clean and secure:

    1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
    5. Use an AntiVirus Software (only one).
    See Virus, Spyware, and Malware Protection and Removal Resources
    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls - both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security:
    • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

    I'll close this thread Zeb, but if these same problems come up again, please send me a PM with this URL. And if I can be of further assistance, please let me know.
     